Foreword


The European Data Protection Board’s (EDPB) mission is to 
ensure the consistent application of data protection rules 
across the European Economic Area (EEA). This is enshrined 
in the General Data Protection Regulation (GDPR), which has 
opened the door to a new era of respect for data subject 
rights. 


The GDPR is not just valuable insofar as it has established 
a harmonised legal framework for data protection across 
the EEA - one that has expanded and strengthened 
national data protection authorities’ powers. The GDPR’s 
entry into force has also encouraged greater awareness of 
data protection rights among individuals and organizations 
alike. This is more important than ever, given the increasing 
presence of data-dependent technologies in almost every 
facet of our lives. 


As we approach the two-year anniversary of the GDPR’s
entry into application, I am convinced that the cooperation
between EEA DPAs will result in the emergence of a common 
data protection culture. Some challenges remain, but the 
EDPB is working on solutions to overcome these and to 
make sure that the key cooperation procedure concepts are 
applied consistently. 


As the EDPB, we contribute to the consistent interpretation 
of the GDPR by adopting Guidelines and Opinions. In 2019,
we adopted five new Guidelines on topics such as privacy by
design and default, and the right to be forgotten, as well as 
two Guidelines in their final, post-consultation versions. We 
also adopted 16 Consistency Opinions covering, among other 
topics, Data Protection Impact Assessments, accreditation 
requirements for code of conduct monitoring bodies, and the 
interplay between the ePrivacy Directive and the GDPR. 


This was possible thanks to the consistent efforts of all 
actors within the EDPB, as well as the increased input and 
engagement from our stakeholders via events, workshops 
and surveys. 


As we look forward to the coming year, we feel ready 
to tackle the outstanding items in our two-year working 
programme. We will continue to adopt guidance, to promote 
the cooperation on cross-border enforcement, and to advise 
the EU legislator on data protection issues. 


More and more countries outside the EU are adopting data 
protection legislation. In doing so, they often base their 
legislation on the fundamental principles of the GDPR. I am
confident that, in a not too distant future, we will see the 
protection of data subject rights become a global norm. 
This will lay the foundation for more secure data flows and 
increased transparency, as well as improved trust in the rule 
of law. 


Andrea Jelinek 
Chair of the European Data Protection Board 

2019 — an overview


2.1. RULES OF PROCEDURE 
The Rules of Procedure (RoP), which outline the EDPB’s most 
important operational rules, were adopted during the first 
plenary meeting on 25 May 2018. 


In 2019, the EDPB adopted revised wording for Articles 8, 10, 22 
and 24 of its RoP, aimed at clarifying requirements to be granted 
observer status, procedures following the adoption of Opinions, 
and voting procedures during EDPB's plenary meetings. 


The EDPB also adopted a new Article 37 RoP establishing a 
Coordinated Supervision Committee in the context of data 
processing by large information systems in use within the EU 
institutions, as well as by EU bodies, offices and agencies. 


In 2019, the Committee was in charge of the coordinated 
supervision of the IMI system and Eurojust. In 2020, this 
will be extended to include the European Public Prosecutor 
Office (EPPO). In the future, all coordinated supervision of 
large EU information systems, bodies, offices and agencies 
will gradually be moved to the Committee. 


2.2. THE EDPB SECRETARIAT 

The EDPB Secretariat ensures that all of the EDPB’s activities 
comply with the legal framework applicable to the EDPB 
as an EU body and with its RoP. It is the main drafter for 
Consistency Opinions and Decisions, and serves as an 
institutional memory, ensuring documents’ consistency over 
time. The role of the EDPB Secretariat is also to facilitate the 
EDPB's fair and effective decision-making and to act as a 
gateway for clear and consistent communication. 


As part of its support activities, the EDPB Secretariat has 
developed IT solutions to enable effective and secure 
communication between the EDPB members, including the 
Internal Market Information System (IMI). 


In 2019, the EDPB Secretariat organised 11 plenary meetings 
and 90 expert subgroup meetings. The different expert 
subgroups focus on specific areas of data protection and 
assist the EDPB in performing its tasks. 


Finally, the EDPB Secretariat assists the Chair in preparing
for and presiding over the plenary meetings, as well as with her
speaking engagements.


2.3. EDPB ACTIVITIES IN 2019 

2.3.1. General Guidance 

In 2019, the EDPB adopted five new Guidelines aimed 
at clarifying the range of provisions under the GDPR. 
The adopted Guidelines addressed codes of conduct and 
monitoring bodies at a national and European level, as well 
as clarifying the processing of personal data under a range 
of circumstances, namely during the provision of online 
services, through video devices, on the principles of Data 
Protection by Design & Default, and related to the Right to 
be Forgotten by search engines. 


In addition, three Guidelines adopted in 2018 were approved by 
the EDPB in their final form in 2019, following public consultations. 
These Guidelines clarify accreditation and certification criteria 
and the territorial scope outlined in the GDPR. 


The EDPB also issued a recommendation on the draft list 
submitted by the EDPS on processing operations which 
require a Data Protection Impact Assessment (DPIA). 


2.3.2. Consistency Opinions 

To guarantee the consistent application of the GDPR in cases 
with cross-border implications, the EDPB issues Consistency 
Opinions. The competent SA has to take utmost account of 
the opinion. 

In 2019, the EDPB adopted 16 Consistency Opinions. Eight
of these concerned the draft lists submitted by SAs on 
processing operations requiring a DPIA, as well as those 
exempt from it. The remaining Opinions regarded transfers 
of personal data between EEA and non-EEA Financial SAs 
and the interplay between the ePrivacy Directive and the 
GDPR, as well as clarifying Standard Contractual Clauses 
(SCCs), Binding Corporate Rules (BCRs), SAs’ competences, 
and Accreditation Criteria for monitoring bodies. 


The EDPB also acts as a dispute resolution body and issues 
binding decisions. Since 25 May 2018, however, no dispute 
resolutions have been initiated. This suggests that, to date, 
SAs have been able to reach consensus on all current
cross-border cases.


2.3.3. Legislative consultation 

The EDPB advises the European Commission on any issue 
related to the protection of personal data, including the 
adequacy of the level of data protection in third countries 
or international organisations. In 2019, the EDPB issued 
reports on the Second and Third Annual Review of the
EU-U.S. Privacy Shield adequacy decision, conducted by the
European Commission to assess its robustness and practical 
implementation. 


In addition, the EDPB issued an Opinion on the interplay 
between the Clinical Trials Regulation (CTR) and the GDPR, 
requested by the European Commission’s
Directorate-General for Health and Food Safety (DG SANTE).


The EDPB is also subject to Article 42 of Regulation 
2018/1725 on legislative consultation. This allows the EDPS 
and the EDPB to coordinate their work with a view to issuing 
a Joint Opinion. In 2019, the EDPB and the EDPS adopted a 
Joint Opinion concerning the data protection aspects of the 
eHealth Digital Service Infrastructure. This Opinion was also 
issued following DG SANTE’s request. 


The EDPB also adopted, on its own initiative, a statement on the 
draft ePrivacy Regulation and issued a contribution on the data 
protection aspects of the Budapest Convention on Cybercrime. 


2.3.4. Other documents 
In 2019, the EDPB adopted two statements. The first one
concerned the US Foreign Account Tax Compliance Act
(FATCA), following the European Parliament's resolution on
the adverse effects of the FATCA on EU citizens. The second
one regarded use of personal data in the course of political
campaigns, in light of the 2019 European Parliament elections
and other elections taking place across the EU and beyond.


To address issues of data protection in the event of a
no-deal Brexit, the EDPB adopted two information notes,
on data transfers from the EEA to the UK under the GDPR, 
and on BCRs for companies having the UK Information 
Commissioner's Office as Lead SA. 


Following a request made by the European Parliament's
Committee on Civil Liberties, Justice and Home Affairs
(LIBE), the EDPB issued the LIBE report on the
implementation of GDPR, providing an overview of the
implementation and enforcement of the GDPR covering both
the cooperation mechanism and the consistency findings.


On 9 July 2019, the EDPB Chair pleaded before the Court of
Justice of the European Union, which had requested an oral
pleading on Case C-311/18 (Facebook Ireland and Schrems).


2.4. CONSULTATIONS 

Following the preliminary adoption of Guidelines, the EDPB 
organises public consultations to allow stakeholders and 
citizens to share their views and provide additional input. In 
2019, the EDPB launched five such consultations, concerning 
its Guidelines on Codes of Conduct, Certification Criteria, 
processing of personal data in online services and video 
devices, Data Protection by Design and Default, and the 
Right to be Forgotten. 


The EDPB organises stakeholder events to gather views on 
key issues and to inform the development of future guidance. 
In 2019, the EDPB organised three such events focused on
the revised Payments Services Directive (PSD2), on the 
concepts and responsibilities of controllers and processors, 
and on data subject rights. 


As part of the annual review of the EDPB activities, established
by Article 71.2 GDPR, the EDPB conducted a stakeholder
survey for the second year in a row. The survey, which focused 
on the content and adoption process of the EDPB’s Guidelines, 
aimed to understand to what extent stakeholders find the 
guidelines helpful and practical in interpreting the GDPR’s 
provisions. 


Respondents included organisations and individual companies 
from the financial, banking and insurance sectors, wholesale 
and retail trade, information technologies, human health and 
social work activities and fundamental rights. The majority 
of respondents were based in Europe, and over 60 percent 
represented small entities. 


64 percent of stakeholders who participated in the survey 
found the Guidelines to be useful, while 46 percent considered 
them to be sufficiently pragmatic. Nearly 80 percent found 
the Guidelines easily accessible; this was up from 64 percent 
in 2018. Other positive feedback referenced the Guidelines’ 
real-life examples and wide applicability preventing national 
fragmentation. 


Respondents encouraged further interpretative work to clarify, 
among other things, the relationship between controller and 
processor and the legal basis of legitimate interest. Compliance 
with the GDPR for SMEs remains a challenge, but stakeholders 
noted that the EDPB’s Guidelines are a useful tool in supporting 
its application. Overall, 40 percent of stakeholders classified the 
consultative process as ranging from appropriate to satisfying. 


2.5. SUPERVISORY AUTHORITIES ACTIVITIES IN 2019 
Under the GDPR, the European Economic Area (EEA) Member 
States’ SAs cooperate closely to ensure that individuals’ data 
protection rights are protected consistently across the EEA. 
One task for the SAs is to assist one another and coordinate 
decision-making in cross-border data protection cases. 


During the reporting period, SAs identified certain challenges 
when implementing the cooperation and consistency 
mechanism. In particular, the patchwork of national procedural 
laws was found to have an impact on the cooperation 
mechanism, due to differences in complaint handling 
procedures, position of the parties in the proceedings, 
admissibility criteria, duration of proceedings, deadlines, etc. 


In addition, SAs’ effective application of the powers and 
tasks attributed to them by the GDPR depends largely on the 
resources they have available. This applies in particular to 
the One-Stop-Shop (OSS) mechanism, the success of which 
is contingent on the time and effort SAs can dedicate to 
individual cases and cooperation. 


Despite these challenges, the EDPB is convinced that the 
cooperation between SAs will result in a common data 
protection culture and consistent monitoring practices. One 
single set of rules has proved to be advantageous for data 
controllers and processors within the EEA, having brought 
greater legal certainty. It has also benefitted individuals who 
have seen their data subject rights reinforced. 


Since the entry into application of the GDPR, there have 
been 807 cross-border cooperation procedures in the IMI 
system, out of which 585 cases were started in 2019. Of these 
cross-border cooperation procedures, 425 resulted from a 
complaint, while the remaining originated from other sources, 
such as investigations, legal obligations or media reports. 


The OSS mechanism demands cooperation between the 
Lead Supervisory Authority (LSA) and the Concerned 
Supervisory Authorities (CSAs). The LSA leads the 
investigation and plays a key role in the process of reaching 
consensus between the CSAs, in addition to working to reach 
a coordinated decision with regard to the data controller or 
processor. By the end of 2019, 142 OSS procedures were 
initiated by SAs, 79 of which resulted in a final decision. 


The mutual assistance procedure allows SAs to ask for 
information from other SAs or to request other measures 
for effective cooperation, such as prior authorisations or 
investigations. Since 25 May 2018, 2,542 mutual assistance
procedures have been triggered. Of these procedures, the 
overwhelming majority (2,427) were informal consultation 
procedures, while 115 were formal requests. 


In 2019, no joint operations were carried out by SAs. 


Under the GDPR, national SAs have different corrective 
measures at their disposal. In 2019, SAs identified a number 
of violations of the GDPR and exercised their corrective 
powers accordingly. 


Violations included failure to implement provisions such 
as privacy by default and design, right to access or right to 
erasure. Many cases highlighted a lack of proper technical and 
organisational measures for ensuring data protection, which 
led to data breaches. Several significant incidents involved 
the processing of special categories of data, such as political 
opinions, credit information or biometric data. The entities 
fined were from both the private and the public sector. 

Main objectives for 2020


By the end of 2019, halfway through its work plan, the EDPB 
had made significant progress across its stated objectives 
and is advancing towards completing them in its second 
working year. 


In 2020, the EDPB will aim to provide guidance on data 
controllers and processors, data subject rights and the concept 
of legitimate interest. It will also intensify its work in the 
context of advanced technologies, such as connected vehicles, 
blockchain, artificial intelligence, and digital assistants. 


The EDPB will continue to advise the European Commission 
on issues such as cross-border e-Evidence data access
requests, the revision or adoption of adequacy decisions for 
data transfers to third countries, and any possible revision 
of the EU-Canada Passenger Name Record (PNR) agreement. 


In addition to the work outlined in the work plan, in 2020,
the EDPB is to provide guidance on the implications for
data protection in the context of the fight against COVID-19,
both at its own initiative and upon consultation by the
European Commission.


The EDPB is also committed to deepening existing
stakeholder relationships and developing new ones. The
EDPB Members, as well as the EDPB Chair and Deputy
Chairs, will continue participating in relevant conferences
and speaking engagements.


The EDPB Secretariat will continue to ensure a harmonised 
communication approach. This includes continuing to drive 
public engagement with the EDPB’s activities through its 
social media presence, as well as enhancing cooperation 
with SAs. To this end, the EDPB will maintain and strengthen 
the network of SAs’ press and communications officers. 





Contact details 


Postal address: 
Rue Wiertz 60, B-1047 Brussels 


Office address: 
Rue Montoyer 30, B-1000 Brussels 


Email: 
edpb@edpb.europa.eu